Win2000 Server Intrusion Detection


A well-configured Win2000 server can stop more than 90% of intrusions, but as I said at the end of the previous chapter, system security is a continuous process. As new vulnerabilities are discovered and the applications on the server change, the security posture of the system changes with them; and since offense and defense are two sides of one contradiction (as the saying goes, when virtue rises a foot, vice rises ten), the attacks themselves keep evolving and growing more sophisticated. No administrator can guarantee that a server which is actively providing services will never be compromised.

Hardening the server is therefore not the end of the security work but the beginning of a long and tedious job. In this article we take a first look at the basic techniques of intrusion detection on a Win2000 server, in the hope that it helps you keep your server secure over the long term.

The intrusion detection discussed here relies only on the built-in functions of Win2000 Server and on software or scripts written by the system administrator. Firewalls and dedicated intrusion detection systems (IDS) are outside the scope of this article.

Now assume we have a Win2000 Server that has already been through a preliminary security configuration (see Win2000 Server Security Configuration Getting Started <1> for the details). In this state most intruders will be turned away. (Great, the administrator can go home and sleep.) Not so fast: I said most, not all. After the basic hardening the server can fend off most script kiddies (people who can only run intrusion programs written by others), but against a real expert it is still vulnerable. Although real experts do not casually break into other people's servers, you cannot rule out that one with bad intentions has taken a fancy to yours. (Am I really that unlucky?) Moreover, there is usually a window between the discovery of a vulnerability and the release of a patch, during which anyone who knows about the vulnerability can exploit it. This is where intrusion detection becomes important.

Intrusion detection is mainly organised around the applications: for every service the host provides, there should be a corresponding way to detect and analyse attacks against it. For a typical host the following points deserve attention:

1. Intrusion detection based on port 80

The WWW service is probably the most common service of all, and because it faces a large number of users, its traffic and complexity are high, so it is also the service with the most vulnerabilities and the most attack techniques. On NT, IIS has always been a headache for system administrators (I would love to just shut down port 80), but fortunately the logging feature built into IIS can be a powerful aid to intrusion detection. By default the IIS log files are stored under %SystemRoot%\System32\LogFiles (one W3SVCn subdirectory per web site) and are rotated every 24 hours; the details can be configured in the IIS Manager. (Whatever suits you, but if you do not log in detail, don't cry when you cannot find the intruder's IP.)

Now let's assume (why do you always assume? It's annoying.) Patience: I cannot actually break into a host just to write this article, so assume we have a web server with the WWW service enabled. You are its system administrator and have configured IIS carefully: the log uses the W3C extended format and records at least the time (Time), client IP (Client IP), method (Method), URI resource (URI Stem), URI query (URI Query) and protocol status (Protocol Status). We will use the well-known Unicode directory traversal vulnerability for the analysis. Open an IE window and enter the following in the address bar:

127.0.0.1/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir

On a default installation you will see a directory listing. (What? You did the security configuration and cannot see it? Restore the default installation, we need to run an experiment.) Now look at the IIS log. Open Ex010318.log (Ex stands for W3C extended format; the digits that follow are the date of the log):

07:42:58 127.0.0.1 GET /scripts/..\../winnt/system32\cmd.exe /c+dir 200

This line says that at 07:42:58 GMT (IIS writes W3C extended logs in GMT, so convert to your local time zone) someone from IP 127.0.0.1 used the Unicode vulnerability on your machine (%c1%1c decodes to "\"; the exact sequence differs between Windows language versions) to run cmd.exe with the argument /c dir, and the request succeeded (HTTP status 200 means a successful response). (Wow, it records everything. I don't dare play with Unicode any more.)

In most cases the IIS log faithfully records every request it receives (there are some special attacks that IIS does not log; we will discuss those later), so a good system administrator should make use of it to discover intrusion attempts and protect the system. However, IIS logs run to tens of megabytes, and on busy sites even tens of gigabytes, so checking them by hand is practically impossible; the only option is log analysis software. Writing such a tool (it is really just a text filter) in any language is very simple, but taking real situations into account (the administrator may not write programs, or no log analysis software may be available on the server), I can give you a simple method. Say you want to know whether anyone has tried to fetch your Global.asa file through port 80; you can use the following CMD command:

find /i "Global.asa" ex010318.log

This command uses find.exe, which ships with NT (so it is always there when you need it in an emergency), to search a text file for a string: "Global.asa" is the string to look for, ex010318.log is the text file to search, and /i means ignore case. Because I have no intention of turning this article into a Microsoft help document, please consult the Win2000 help file for the other parameters of this command and for the usage of its enhanced version, FindStr.exe.
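As an added example (not part of the original article), here is the kind of "text filter" log analysis tool described above, written in Python so it runs anywhere the log file can be copied to. It parses a W3C extended log using the names from its #Fields line, undoes the overlong UTF-8 sequences the Unicode vulnerability relies on, and flags traversal attempts, requests for cmd.exe and probes for Global.asa, separating attacks that succeeded (status 200) from ones that were only attempted. The log lines are constructed for the example, and the SENSITIVE watch list and the log path in the final comment are assumptions.

```python
"""Added example: a minimal IIS W3C extended log filter for the attacks above."""
import re
import urllib.parse

# Constructed sample log (not a real capture).  The fields are the minimum the
# article recommends: time, client IP, method, URI stem, URI query, status.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-03-18 07:42:58
#Fields: time c-ip cs-method cs-uri-stem cs-uri-query sc-status
07:42:58 127.0.0.1 GET /scripts/..\\../winnt/system32\\cmd.exe /c+dir 200
07:43:10 10.0.0.5 GET /default.htm - 200
07:44:02 10.0.0.9 GET /Global.asa - 404
07:45:30 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 404
07:46:01 10.0.0.7 GET /images/logo.gif - 304
"""

# A two-byte UTF-8 sequence with lead byte C0 or C1 is always overlong and is
# never sent by a legitimate client; it is the signature of the Unicode
# traversal (%c0%af -> '/', %c1%1c -> '\' on the affected builds).
OVERLONG_UTF8 = re.compile(r"%c[01]%[0-9a-f]{2}", re.IGNORECASE)
TRAVERSAL = re.compile(r"\.\./")
# Assumed watch list of file names an intruder probes for; extend per site.
SENSITIVE = {"global.asa", "cmd.exe"}


def parse_w3c(text):
    """Parse a W3C extended log into dicts keyed by the names in #Fields."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the field list can change mid-file
            continue
        if not line or line.startswith("#"):
            continue                    # other directives and blank lines
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split(" ", len(fields) - 1)
        records.append(dict(zip(fields, values)))
    return records


def decode_uri(raw):
    """Normalise a URI the way the vulnerable IIS effectively did: overlong
    pairs become a separator, %xx is decoded, backslash is treated as '/'."""
    s = OVERLONG_UTF8.sub("/", raw)
    s = urllib.parse.unquote(s)
    return s.replace("\\", "/").lower()


def detect(records):
    """Return one finding per suspicious request, with the reasons it matched."""
    findings = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "")
        decoded = decode_uri(stem)
        reasons = []
        if OVERLONG_UTF8.search(stem):
            reasons.append("overlong UTF-8 (Unicode traversal)")
        if TRAVERSAL.search(decoded):
            reasons.append("directory traversal")
        name = decoded.rsplit("/", 1)[-1]
        if name in SENSITIVE:
            reasons.append("sensitive target " + name)
        if reasons:
            findings.append({
                "time": rec.get("time"),
                "ip": rec.get("c-ip"),
                "uri": stem,
                "query": rec.get("cs-uri-query", "-"),
                "status": rec.get("sc-status"),
                # 200 means IIS served the request: the attack worked, not just tried
                "succeeded": rec.get("sc-status") == "200",
                "reasons": reasons,
            })
    return findings


def scan(text):
    """Convenience wrapper: parse, then detect."""
    return detect(parse_w3c(text))


if __name__ == "__main__":
    # For a real log: scan(open(r"C:\WINNT\system32\LogFiles\W3SVC1\ex010318.log").read())
    for f in scan(SAMPLE_LOG):
        verdict = "SUCCEEDED" if f["succeeded"] else "attempted"
        print(f"{f['time']} {f['ip']} {verdict:9} {f['uri']} {f['query']} "
              f"[{'; '.join(f['reasons'])}]")
```

Run against the constructed log it reports three findings: the 127.0.0.1 request that succeeded, the Global.asa probe that was denied, and a %c0%af traversal that was denied. Matching on the overlong lead bytes rather than on a fixed string such as %c1%1c is deliberate: the exact byte pair differs between Windows language versions, but C0 and C1 are never valid UTF-8 lead bytes, so any request containing them is hostile regardless of code page.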

Copyright © Windows knowledge All Rights Reserved